Loophole: Timing Attacks on Shared Event Loops in Chrome, Pepe Vila (PowerPoint PPT presentation)



SLIDE 1

Loophole

Timing Attacks on Shared Event Loops in Chrome
Pepe Vila, November 22, 2016

Pepe Vila Loophole November 22, 2016 1 / 22

SLIDE 2

Introduction

  • Event-driven programming
  • Event loops
  • A timing side-channel on event loops

SLIDE 5

Introduction: Event-driven programming

  • EDP is a programming paradigm for GUIs, web clients, networks and server-side software
  • The flow of the program is determined by events or messages
  • Examples: Nginx, Node.js or memcached
  • Used for message passing: inter-thread and inter-process communication
  • The HTML5 standard [1] mandates that user agents use EDP

[1] https://html.spec.whatwg.org/#event-loop

SLIDE 10

Introduction: Event loops

  • Also called message dispatcher, message loop, or run loop
  • FIFO queue & dispatcher:

    Q = [];
    while (true) {
        M = Q.shift();   // dequeue
        process(M);
    }

  • If the queue is empty, it waits until an event arrives
  • Blocking operations (e.g., database and network requests) are dealt with asynchronously
  • Simple concurrency model for programmers

SLIDE 12

Introduction: A timing side-channel on event loops

Event loops are susceptible to timing side-channel attacks when shared between mutually distrusting programs.

SLIDE 13

Our work (in poetry)

“Loophole”: exploit a timing side-channel in the Chrome web browser to break user privacy using machine learning techniques.

  - Abraham Lincoln

SLIDE 14

Chrome’s architecture

  • Same Origin Policy (SOP)
  • Multi-process
  • Shared event loops

SLIDE 16

Chrome’s architecture: Same Origin Policy (SOP)

  • Central concept in the web security model
  • A script from a site A cannot access data from a site V if their origins differ
  • Origin := (scheme, domain, port)

    Origin 1                    Origin 2
    http://example.com:8080     http://example.com
    http://mail.example.com     http://app.example.com
    https://foo.example.com     https://foo.example.com
    https://example.com         http://example.com

SLIDE 19

Chrome’s architecture: Multi-process

  • Multi-process: 1 privileged host process and N sandboxed renderers
  • Each process has multiple threads; each thread has one message loop [2]
  • DEMO: Chrome’s task manager

[2] Chrome’s implementation of an event loop

SLIDE 23

Chrome’s architecture: Shared event loops

  • Different policies for mapping applications into renderer processes (default: process-per-site-instance)
  • A Site is a registered domain plus a scheme (different from the SOP origin)
  • Sharing the renderer
    ◮ when using iframes, linked navigation, or when |processes| > T
    ◮ T = 32 for 4 GB of RAM, and T = 70 for 8 GB or more
  • Sharing the host process
    ◮ one for all renderers
    ◮ IPC through the I/O thread
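The origin-versus-site distinction from the SOP slide and this one, as an added example that is not part of the talk: it classifies the slide's URL pairs with the SOP origin (scheme, host, port) and with Chrome's site (scheme plus registered domain). The registered-domain helper is a deliberate simplification (last two host labels) rather than a Public Suffix List lookup.

```javascript
// Added example (not code from the talk): the two granularities the slides
// contrast. The SOP compares the full origin (scheme, host, port); Chrome's
// default process-per-site-instance policy groups pages by "site", scheme plus
// registered domain, so distinct origins can land in the same renderer and
// share its main-thread event loop. registeredDomain() is a deliberate
// simplification (last two host labels); real code consults the Public Suffix
// List. The URL pairs are the ones on the SOP slide.

const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// SOP origin: scheme, host and port, with the scheme's default port made explicit
function origin(u) {
  const url = new URL(u);
  const port = url.port || DEFAULT_PORT[url.protocol] || '';
  return `${url.protocol}//${url.hostname}:${port}`;
}

// Chrome "site": scheme plus registered domain (no port, no subdomain)
function registeredDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');   // simplification, see above
}
function site(u) {
  const url = new URL(u);
  return `${url.protocol}//${registeredDomain(url.hostname)}`;
}

// separatedBySopOnly is the case the talk exploits: the SOP keeps the two
// pages' data apart, but they may still be placed in one renderer process.
function classify(a, b) {
  const sameOrigin = origin(a) === origin(b);
  const sameSite = site(a) === site(b);
  return { sameOrigin, sameSite, separatedBySopOnly: sameSite && !sameOrigin };
}

const SOP_SLIDE_PAIRS = [
  ['http://example.com:8080', 'http://example.com'],
  ['http://mail.example.com', 'http://app.example.com'],
  ['https://foo.example.com', 'https://foo.example.com'],
  ['https://example.com', 'http://example.com'],
];
for (const [a, b] of SOP_SLIDE_PAIRS) console.log(a, b, classify(a, b));
```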

SLIDE 24

Spying on shared event loops

  • Main thread of a renderer
  • I/O thread of the host process

SLIDE 28

Spying on shared event loops

  • Main thread of renderer processes
    ◮ runs resource parsing, style calculation, layout, painting and JavaScript
    ◮ each task blocks the event loop for a while
    ◮ when 2 pages share the process, the main thread’s event loop is shared
    ◮ A can eavesdrop on information from V’s tasks
  • I/O thread of the host process
    ◮ manages IPC with all child renderers
    ◮ demultiplexes all UI events to the corresponding renderer
    ◮ multiplexes all network requests from renderers
    ◮ each task/message/event also blocks the event loop

Some tasks are very fast (<< 0.1 ms). We need high timing resolution.
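Why a shared loop leaks, as an added deterministic simulation that is not part of the talk: the FIFO loop from the slides is shared by a tenant A that only timestamps and re-posts to itself and a tenant V whose task durations show up as gaps in A's trace. Tenant names, task costs and arrival times are constructed.

```javascript
// Added example (not code from the talk): a deterministic simulation of the
// FIFO event loop from the slides, shared by two mutually distrusting tenants.
// Tenant A only saves a virtual timestamp and re-posts a message to itself
// (the pattern the talk monitors); tenant V occasionally runs a long task.
// A never reads V's data, yet the gaps in A's own trace equal V's task
// durations. Tenants, costs and arrival times are all constructed.

// victimTasks: [{ at, duration }] in virtual ms. Returns A's timestamp trace.
function runSharedLoop(victimTasks, steps, spyCost = 0.025) {
  const Q = [];                  // the FIFO queue from the slide
  let now = 0;                   // virtual clock, stands in for performance.now()
  const trace = [];
  // Tenant A: save a timestamp, then enqueue itself again (recursive invocation)
  const spy = { cost: spyCost, run: () => { trace.push(now); Q.push(spy); } };
  const pending = [...victimTasks].sort((a, b) => a.at - b.at);

  Q.push(spy);                   // post the first async task
  for (let i = 0; i < steps && Q.length; i++) {
    // V's tasks (parsing, layout, JS ...) arrive from outside and join the same queue
    while (pending.length && pending[0].at <= now) {
      Q.push({ cost: pending.shift().duration, run: () => {} });
    }
    const M = Q.shift();         // dequeue
    M.run();                     // process(M)
    now += M.cost;               // every task blocks the loop for its duration
  }
  return trace;
}

// What A can infer from its trace alone: every inter-sample gap longer than
// its own task cost is time the shared loop spent on someone else's work.
function foreignTasksFromTrace(trace, spyCost = 0.025, tolerance = 1e-6) {
  const found = [];
  for (let i = 1; i < trace.length; i++) {
    const gap = trace[i] - trace[i - 1];
    if (gap > spyCost + tolerance) found.push({ at: trace[i - 1], duration: gap - spyCost });
  }
  return found;
}

// Constructed scenario: V runs a 3 ms task at t = 1 ms and a 0.5 ms task at t = 10 ms
const VICTIM_TASKS = [{ at: 1, duration: 3 }, { at: 10, duration: 0.5 }];
console.log(foreignTasksFromTrace(runSharedLoop(VICTIM_TASKS, 600)));   // durations ≈ 3 and 0.5
```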


SLIDE 30

Spying on shared event loops: renderer’s main thread

Monitor the event loop from an arbitrary HTML page running JavaScript:

    function loop() {
        save(performance.now());    // high-resolution timestamp
        self.postMessage(0, '*');   // recursive invocation
    }
    self.onmessage = loop;          // set event handler
    self.postMessage(0, '*');       // post first async task

  1. Generates a trace of timing measurements
  2. Resolution ≈ 25 µs

SLIDE 33

Spying on shared event loops: host’s I/O thread

Monitor the loop from any HTML page running JavaScript:

    function loop() {
        save(performance.now());
        fetch(new Request('http://0.0.0.0')).catch(loop);
    }
    loop();

Performs an invalid network request. The task is posted to the I/O thread’s event loop to be processed asynchronously. It fails quickly and triggers our “catch” callback.

  1. Resolution ≈ 0.5 ms
  2. NEW METHOD: we obtain a resolution of < 0.1 ms! :D

SLIDE 34

Attacks

  • Covert channel
  • Web page fingerprinting
  • User action detection

SLIDE 35

Attacks: covert channel

  • Covert channel using timing differences
  • Bandwidth of 200 bit/s on the same renderer, and 5 bit/s across processes
  • VIDEO: https://www.youtube.com/watch?v=IlndCZmRDmI

SLIDE 40

Attacks: web page fingerprinting

Dynamic Time Warping
  • Distance metric for time series X = (x1, ..., xn) and Y = (y1, ..., ym)
  • Robust to horizontal compressions and stretches (warping)
  • Computes the cross-distance matrix M(i, j) = f(xi, yj) ≥ 0
  • Finds the optimal alignment φ such that DTW(X, Y) = min_φ d_φ(X, Y)
  • Cost O(n · m) → we use Lemire’s lower bound
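The DTW matching described above, as an added example that is not the talk's code: a windowed DTW over the cross-distance matrix M, an envelope lower bound (LB_Keogh, of which the Lemire bound the slide cites is a tighter refinement) and a nearest-template lookup that uses the bound to skip most full DTW computations. The time series are constructed.

```javascript
// Added example (not code from the talk): Dynamic Time Warping as defined on
// the slides, with a Sakoe-Chiba window and the LB_Keogh envelope bound. The
// talk cites Lemire's lower bound, a tighter two-pass refinement of LB_Keogh;
// LB_Keogh is used here as the simpler instance of the same idea, an O(n)
// bound that lets a 1-NN classifier skip most O(n·m) DTW computations.

const f = (xi, yj) => (xi - yj) ** 2;   // cross-distance matrix entry M(i, j) = f(x_i, y_j)

// DTW(X, Y) = min over alignments φ of d_φ(X, Y), by dynamic programming over M.
// w limits |i - j| (Sakoe-Chiba band); for unequal lengths w must be >= |n - m|.
function dtw(X, Y, w = Infinity) {
  const n = X.length, m = Y.length;
  const D = Array.from({ length: n + 1 }, () => new Array(m + 1).fill(Infinity));
  D[0][0] = 0;
  for (let i = 1; i <= n; i++) {
    for (let j = Math.max(1, i - w); j <= Math.min(m, i + w); j++) {
      D[i][j] = f(X[i - 1], Y[j - 1]) + Math.min(D[i - 1][j], D[i][j - 1], D[i - 1][j - 1]);
    }
  }
  return Math.sqrt(D[n][m]);
}

// LB_Keogh: envelope of X within radius r, plus how far Y falls outside it.
// For equal lengths it never exceeds dtw(X, Y, r), so pruning on it is safe.
function lbKeogh(X, Y, r) {
  let sum = 0;
  for (let j = 0; j < Y.length; j++) {
    const win = X.slice(Math.max(0, j - r), Math.min(X.length, j + r + 1));
    const U = Math.max(...win), L = Math.min(...win);
    if (Y[j] > U) sum += f(Y[j], U);
    else if (Y[j] < L) sum += f(Y[j], L);
  }
  return Math.sqrt(sum);
}

// 1-NN matching: run the full DTW only when the cheap bound cannot rule the template out.
function nearest(query, templates, r) {
  const best = { index: -1, dist: Infinity, dtwCalls: 0 };
  templates.forEach((t, idx) => {
    if (lbKeogh(t, query, r) >= best.dist) return;   // pruned by the bound
    best.dtwCalls++;
    const d = dtw(t, query, r);
    if (d < best.dist) { best.index = idx; best.dist = d; }
  });
  return best;
}

// Constructed series: a horizontally stretched copy of a shape is at DTW distance 0
const SHAPE = [0, 1, 2, 1, 0], STRETCHED = [0, 1, 1, 2, 2, 1, 0];
console.log(dtw(SHAPE, STRETCHED));   // 0
```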

SLIDE 41

Attacks: web page fingerprinting

Figure: Warping matrix with optimal alignment between two time series

SLIDE 46

Attacks: web page fingerprinting

Experiments
  • 500 main pages from Alexa’s Top sites
  • 30 traces per page (monitoring the main thread)
  • 6 traces per page (monitoring the I/O thread)
  • Only ONE sample for training
  • Testing multiple configuration values
  • k-fold cross-validation

SLIDE 47

Attacks: web page fingerprinting

Renderer results: 65%

Figure: Matching rates with the best configuration and multiple tolerance values

Host process results: 25%

Figure: Matching rates with multiple configurations and tolerance values

SLIDE 48

Attacks: user action detection

  • LoopScan: a tool for visualizing event loops in real time
  • “see” mouse movement, scrolling, clicks or keystrokes in other tabs
  • DEMO: http://vwzq.net/lab/ioloop/monitor.html

SLIDE 50

Conclusions

  • Resource sharing is dangerous
  • It is possible to spy on other tabs/pages in the same browser
  • Machine learning is useful for side-channel attacks
  • Future work:
    ◮ automate event recognition (online learning)
    ◮ the pattern is used by ALL modern browsers
    ◮ lots of technologies rely on event loops

SLIDE 51

Thank you. Questions?